BreachExchange mailing list archives
I admit it, I'm a cyber security professional and I fell for a phishing email
From: Destry Winant <destry () riskbasedsecurity com>
Date: Sat, 10 Jun 2017 00:45:38 -0500
https://www.crn.com.au/feature/i-admit-it-im-a-cyber-security-professional-and-i-fell-for-a-phishing-email-464535

By lunchtime I had received flashing notifications of two emails that arrived in my Inbox that were important enough to warrant me to stop what I was doing, click on my Outlook and read them.

The first email, purportedly from the Australian Securities and Investments Commission (ASIC), reminded me to renew my business name. It looked legitimate. As legitimate as any ASIC email I have ever seen. The email and page links contained within the email all pointed to verified ASIC addresses.

The second email, purportedly from Origin Energy, advised me of my quarterly electricity bill. Again, it seemed perfectly legitimate and all links in the email pointed to valid Origin Energy pages.

Both emails lacked any attachments that could have aroused suspicions. On both emails there was a call to action - a "Renew your Business Name" link was in the ASIC email, and a "View Your Bill" link was in the Origin email.

When is an email legit?

Here were two very authentic looking emails. But as an infosec professional, I know better, right? Back in the day, checking hyperlinks stringently to determine the integrity of an email wouldn't have entered most people's minds. Today, this is no longer the case. It's all part of being "web smart".

I instantly knew the "Origin Energy" email was fraudulent. Why? Because Origin are not my electricity or gas supplier and I know enough about the energy retail sector to know that they are not affiliated in any way with my actual energy supplier. So I cast the miscreant email off to the Deleted folder without a second glance. Tony 1 - Hacker 0.

The "ASIC" email on the other hand… well. Like many people looking to make ends meet, I operate a part-time business and I am aware that my business name renewal is coming up. Again, the email seems, feels and looks legit. So, I clicked on the "renew your business name" link.
A download commenced and, upon completion, it was picked up by my endpoint anti-malware software as a malicious file. I had scored an own goal before recovering a goal in the last second of the game. Tony 2 - Hacker 1. Coach furious.

Even professionals stuff up sometimes

Years ago, I read the story of Eastern Air Lines Flight 401. A flight crew with over 50,000 hours combined flying time had managed to crash their plane into the Everglades in Florida because a blown indicator light had diverted the entire crew's attention away from the fact that the autopilot had disengaged. That story came to my mind while I was pondering my actions only a few seconds earlier.

I was fortunate because I had a number of mechanisms to protect me. Our organisation deploys a full suite of layered security and I can attest to the quality and reliability of the systems we have in place. Our corporate network runs a plethora of security platforms and scanning utilities to prevent any lateral movement of malware if by some chance it managed to infect my laptop. In addition, my corporate workspace and personal workspaces on the BYOD laptop are segregated. At no point was the corporate network ever in jeopardy.

My corporate email account rarely sees fraudulent email come through the door due to these excellent defences. However, my part-time business email account isn't filtered by the corporate spam and ransomware filters. And that's where these two emails came in from. The outer technical defences of the corporate network (the spam filter and firewall) were completely bypassed due to my private email address being the source of the malicious emails. To add to this, my usually spot-on decision-making capabilities were duped, partially due to a very convincing email and partially due to the heightened state of urgency I felt I had to renew my business name.
Fortunately for both my organisation and myself, the last line of defence, the endpoint security solution, was up to date, current and industry-leading. Failing this, I also have an up to date backup of my data in numerous locations that I could restore from if absolutely necessary.

Some people will argue "well, this is what happens when you bring a BYOD device". Fair point. However, 74 percent of organisations had either adopted or were planning to adopt BYOD back in 2015 and I would tentatively say this number is now north of 90 percent. Hardly a compelling argument. The experiences of the day were a simple case study in why layered security plus a backup policy is the most effective protection against hackers.

The victim blame game

I am certain that some of my contemporaries in the infosec space will read this and think to themselves "you idiot!" This misplaced arrogance demonstrates the biggest problem in today's cyber security world. There are very few areas of society where we treat the victim of a crime with the same level of contempt that cyber security professionals treat victims of cyber crime. Many of those in the infosec industry think that everyone should know how to identify fraudulent emails, malicious links and dodgy websites and if they fall victim to a phishing scam, they are stupid.

To challenge this, recently there was an article about hackers using letters in the Cyrillic alphabet to create websites for phishing purposes. Even the most eagle-eyed infosec professional would have trouble distinguishing between https://www.аррӏе.com and https://www.apple.com and yet they take you to two completely different websites. I argue that blaming the victim is very short-sighted and in fact downright egotistical.

Education is key

Today's world means that from birth, children are surrounded by devices that form part of the age of information.
My soon-to-be three year old daughter knows how to use an iPad and iPhone, can switch between her favourite apps and has recently decided to enjoy Daddy's Spotify music, flicking through songs she likes and adjusting the volume as she sees fit. In a few short years' time, my children will go to school. It is likely that a tablet will be part of their school backpack and an essential part of their learning. And yet, even right now, there is little to no emphasis on including information security awareness as a compulsory subject in the school curriculum that, in my view, should commence in kindergarten and continue to Year 12.

Social media is everywhere and children, especially, want to feel part of social groups with their friends and be part of society. Yet again, there is little formalised education around social media awareness offered at a school level to children who are learning to become adults. Little by way of teaching children what is appropriate to volunteer publicly. Little by way of what should be communicated electronically and what is in their interests not to.

My mother started using an iPad several years ago purely to keep in contact with family and friends overseas through social media. For many adults, the age of information came to them later in their lives and most are simply not aware of the risks associated with living online.

I have no doubt that not only should information security be taught in schools as a compulsory subject, as home economics is, but it is also in the national interest to provide free education to all adults on information security principles. I'll leave it to the policy makers to determine what Home Economics for the Digital Era should look like - whether it's through change to state and federal education curricula, through subsidies to employers, or by offering free training for adults, a holistic approach to being educated in the digital age should be as essential as mathematics, English and science are.
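The Cyrillic lookalike domain mentioned above (https://www.аррӏе.com against https://www.apple.com) is the kind of thing a mail gateway or a URL-rewriting proxy can flag mechanically even when a human eye cannot. The script below is an added example, not code from the article or from CRN: it classifies each hostname label by Unicode script, converts non-ASCII labels to their punycode ("xn--") form so the lookalike becomes visible, and maps a small hand-built table of Latin-confusable Cyrillic letters back to Latin to see which brand the label resembles. The confusables table and the list of protected brand names are constructed for the example; a production scanner would use the full Unicode confusables data (UTS #39) rather than this subset.

```python
import unicodedata

# Constructed, partial table of Cyrillic letters that render like Latin letters.
# It is enough to catch the "apple" lookalike from the article; a real scanner
# should use the full Unicode confusables data (UTS #39).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
    "\u051b": "q",  # CYRILLIC SMALL LETTER QA
    "\u051d": "w",  # CYRILLIC SMALL LETTER WE
}


def script_of(ch):
    """Rough script classification taken from the first word of the Unicode name."""
    if ch.isascii():
        # Digits and '-' are script-neutral; ASCII letters are Latin.
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def to_ace(label):
    """ASCII-compatible form of one label: punycode with the IDNA 'xn--' prefix."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def latin_skeleton(label):
    """Replace known Cyrillic lookalikes with the Latin letter they resemble."""
    return "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)


def analyse_hostname(host, protected_names=()):
    """Return a verdict on a hostname: its ACE form, findings, and brands it imitates."""
    labels = host.lower().rstrip(".").split(".")
    findings, impersonates = [], []
    for label in labels:
        scripts = {script_of(c) for c in label} - {"COMMON"}
        # A single label written in more than one script is a classic homograph sign.
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
        skeleton = latin_skeleton(label)
        # Non-ASCII label whose every character has a Latin lookalike: it will
        # render like an ASCII name while resolving somewhere else entirely.
        if not label.isascii() and skeleton.isascii():
            findings.append(f"label '{label}' ({to_ace(label)}) renders like '{skeleton}'")
            if skeleton in protected_names:
                impersonates.append(skeleton)
    return {
        "host": host,
        "ace": ".".join(to_ace(label) for label in labels),
        "suspicious": bool(findings),
        "findings": findings,
        "impersonates": impersonates,
    }


if __name__ == "__main__":
    # Constructed sample input: the lookalike from the article, the genuine name,
    # and a mixed-script label (Cyrillic 'ра' followed by Latin 'ypal').
    brands = {"apple", "paypal"}
    for sample in ("www.\u0430\u0440\u0440\u04cf\u0435.com", "www.apple.com",
                   "\u0440\u0430ypal.com"):
        report = analyse_hostname(sample, brands)
        print(report["host"], "->", report["ace"], "| suspicious:", report["suspicious"])
        for finding in report["findings"]:
            print("   ", finding)
```

The useful defensive signal is the ACE form: showing `www.xn--80...` style output next to the rendered name in a mail filter's link report, or in a proxy block page, gives the reader the cue the browser address bar may not. Treat the confusables map as a starting point only; the full UTS #39 data covers many more scripts and characters than the handful listed here.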
_______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange